Does Auth0 prevent the user from being logged in at two different places?

Hi @Auth0,
Scenario: Alice logs in to her laptop at example.com via Auth0 (which provided the tokens: access_token_1, id_token_1, expires_in, …).

Again, Alice logs in to another laptop at example.com via Auth0, which provided the tokens: access_token_2, id_token_2, expires_in, ….

Is there any feature/way in Auth0 (dashboard) to make the first token illegal?

Sub-question(s):

  1. Will the access_token be valid for the next 1.5 hours (even if the user has logged out)?

Hi there @adb, I wanted to reach out about your questions and see if I can assist.

Not currently, but if you believe something like this would bring value, please let us know so our product team can track and listen to these types of requests!

One of our senior engineers gave a great answer to this previously, which I will quote below. Paired with our logout documentation (attached), it should give you what you need to conquer this request in your app.

Please let us know if you have any additional questions I can assist with, Thanks!

Hi @James.Morrison,
I understood what @jmangelo has to say for the access_token, and I like his approach to the problem.
One question:
How can I revoke the access_token (before the expiry time)?
Scenario:
During the logout procedure (in the JavaScript API), the custom logout method gets called (which in turn calls Auth0's logout method), which then calls "https://example.auth0.com/v2/logout" with "client_id", "returnTo", "auth0Client". (There's no transfer of access_token or id_token.)

You can leverage this endpoint, which will delete all associated grants and refresh tokens for a particular user ID (the call must carry a Management API token in the Authorization header):
curl -X DELETE 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}}' -H 'Authorization: Bearer {{your-management-api-token}}'

Please let me know if this helps you in your quest @adb or if you have any additional questions.


Hi @James.Morrison,
I was able to call DELETE "https://mydomain.auth0.com/api/v2/grants?user_id=auth0|5cb02242da0d52353456801".
It returned HTTP 204 No Content.

But even after this I was able to call "https://mydomain.auth0.com/userinfo" with the original/same access_token.

PS: I called /api/v2/grants with the access_token (in header) I received from calling "/oauth/token".

After talking with one of our senior engineers on this subject, I wanted to pass along the feedback I received. They recommend shortening the expiry time. To what extent depends on your system architecture. Thanks!

Hi @James.Morrison,

Just to be sure, you are talking about the access_token, right?

I get this response from Auth0 (in the callback hash):

access_token=(32 chars.)
&
scope=openid%20profile%20email
&
expires_in=7200
&
token_type=Bearer
&
state=(32 chars.)
&
id_token=(1152 chars.)

Where can I find the settings in the Dashboard to decrease the lifetime of the access_token?

This can be altered at the Token Expiration (Seconds) field for your API in the Dashboard APIs section. Below is an article that dives into this more in depth. Thanks!

https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime


Hi @James.Morrison,
I was able to change the expiry value of the access_token.
First I mapped the REST API I wanted to secure (e.g. https://test.example.com/api/v1) by creating a new API app (in Dashboard -> APIs section).
Then, in the token settings, I changed 'Token Expiration (Seconds)' and 'Token Expiration For Browser Flows (Seconds)'.
Then I called /userinfo after the time had expired (with the access_token in the header); it returned HTTP 401.

Thanks…


I’m glad to hear it all came together @adb and thank you for sharing the solution!

